DoS Protection Policy Rules
Specify which resources to protect from DoS attacks and
how to protect them.
DoS Protection policy rules control the systems to which
the firewall applies DoS protection (the flood thresholds configured
in DoS Protection profiles that you attach to DoS Protection policy
rules), what action to take when traffic matches the criteria defined
in the rule, and how to log DoS traffic. Because DoS protection
consumes firewall resources, use it only to defend specific critical resources
against session floods, especially common targets that users access
from the internet, such as web servers and database servers. Use
Zone Protection profiles to protect entire zones against floods
and other attacks. DoS Protection policy rules provide granular
matching criteria so that you have the flexibility to define exactly what
you want to protect:
Source zone, interface, IP address (including whole regions), and
user.
Destination zone, interface, and IP address (including whole regions).
Services (by port and protocol). DoS protection applies only
to the services you specify. Specifying services does not allow those
services while implicitly blocking all others; it only limits DoS
protection to the specified services and does not block other services.
In addition to protecting service ports
in use on critical servers, you can also protect against DoS attacks
on the unused service ports of critical servers. For critical systems,
you can do this by creating one DoS Protection policy rule and profile
to protect ports with services running, and a different DoS Protection
policy rule and profile to protect ports with no services running.
For example, you can protect a web server’s normal service ports,
such as 80 and 443, with one policy/profile, and protect all of
the other service ports with the other policy/profile. Be aware
of the firewall’s capacity so that servicing the DoS counters doesn’t
impact performance.
When traffic matches a DoS Protection policy rule, the firewall
takes one of three actions:
Deny—The firewall denies access and doesn’t apply
a DoS Protection profile. Traffic that matches the rule is blocked.
Allow—The firewall permits access and doesn’t apply
a DoS Protection profile. Traffic that matches the rule is allowed.
Protect—The firewall protects the devices defined
in the DoS Protection policy rule by applying the specified DoS
Protection profile or profiles thresholds to traffic that matches
the rule. A rule can have one aggregate DoS Protection profile and
one classified DoS Protection profile, and for classified profiles,
you can use the source IP, destination IP, or both to increment
the flood threshold counters, as described in
Classified Versus Aggregate DoS
Protection. Incoming packets count against both DoS Protection
profile thresholds if they match the rule.
The firewall applies DoS Protection profiles only if the Action is Protect.
If the DoS Protection policy rule’s Action is Protect,
specify the appropriate aggregate and/or classified DoS Protection
profiles in the rule so that the firewall applies the DoS Protection
profile’s thresholds to traffic that matches the rule. Most rules
are Protect rules.
The Allow and Deny actions
enable you to make exceptions within larger groups but do not apply
DoS protection to the traffic. For example, you can deny the traffic
from most of a group but allow a subset of that traffic. Conversely,
you can allow the traffic from most of a group and deny a subset
of that traffic.
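The rule evaluation described above, as an added illustrative model (not PAN-OS code): rules are matched top-down on source/destination address and service, Allow and Deny rules act as exceptions without touching any profile, and a Protect rule increments both its aggregate and its classified counter for every matching packet. Simple packet counts stand in for the profile's rate thresholds, first-match ordering and pass-through for unmatched traffic are assumptions, and all addresses and rule names are constructed.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class DosRule:
    """One DoS Protection policy rule; the *_max fields stand in for attached profiles."""
    name: str
    action: str                        # "deny", "allow" or "protect"
    dst_nets: tuple = ("0.0.0.0/0",)
    src_nets: tuple = ("0.0.0.0/0",)
    services: tuple = ("any",)         # e.g. "tcp/443"; "any" matches every service
    aggregate_max: int | None = None   # aggregate profile: one counter for all matching traffic
    classified_max: int | None = None  # classified profile: one counter per classification key
    classify_by: str = "source-ip"     # "source-ip", "destination-ip" or "src-dest-ip"
    agg_count: int = 0
    cls_counts: dict = field(default_factory=lambda: defaultdict(int))

    def matches(self, pkt: dict) -> bool:
        return (any(ip_address(pkt["src"]) in ip_network(n) for n in self.src_nets)
                and any(ip_address(pkt["dst"]) in ip_network(n) for n in self.dst_nets)
                and ("any" in self.services or pkt["service"] in self.services))

    def classify_key(self, pkt: dict) -> str:
        return {"source-ip": pkt["src"], "destination-ip": pkt["dst"],
                "src-dest-ip": pkt["src"] + ">" + pkt["dst"]}[self.classify_by]

def evaluate(rules: list[DosRule], pkt: dict) -> tuple[str, str]:
    """Return (rule name, verdict). First matching rule wins (assumed ordering)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action != "protect":            # Allow/Deny: no profile applied, nothing counted
            return rule.name, "pass" if rule.action == "allow" else "drop"
        flooded = False
        if rule.aggregate_max is not None:      # a packet counts against BOTH profiles
            rule.agg_count += 1
            flooded |= rule.agg_count > rule.aggregate_max
        if rule.classified_max is not None:
            key = rule.classify_key(pkt)
            rule.cls_counts[key] += 1
            flooded |= rule.cls_counts[key] > rule.classified_max
        return rule.name, "drop" if flooded else "pass"
    return "no-rule", "pass"                    # assumed: unmatched traffic gets no DoS protection

def demo_rules() -> list[DosRule]:
    web = "203.0.113.10/32"                     # constructed web server address
    return [  # exception first, then in-use ports, then everything else on the server
        DosRule("allow-monitor", "allow", (web,), ("198.51.100.5/32",), ("tcp/80", "tcp/443")),
        DosRule("protect-web-ports", "protect", (web,), services=("tcp/80", "tcp/443"),
                aggregate_max=5, classified_max=3),
        DosRule("protect-web-unused", "protect", (web,), aggregate_max=2),
    ]
```

Feeding the same source repeatedly trips the classified threshold first, while many distinct sources trip the aggregate threshold, which is why a rule usually carries both profiles.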
You can Schedule when a DoS Protection
policy rule is active (start and end time, recurrence period). One
use case for scheduling is to apply different flood thresholds at
different times of the day or week. For example, if your business
experiences significantly less traffic at night than during the
day, you may want to apply higher flood thresholds during the day
than at night. Another use case is to schedule special thresholds
for special events, providing that the firewall supports the CPS
rates.
For easier management and granular reporting, configure Log Forwarding to
separate DoS protection logs from other threat logs. Forward DoS
threshold violation events directly to the administrators via email
in addition to forwarding the logs to a server such as an SNMP or syslog
server. Provided that the firewalls are appropriately sized, threshold
breaches should be infrequent and are strong indicators of
an attack attempt.